Bling Libra: From Data Theft to Digital Blackmail – Anatomy of a New Threat

Friend

Hacking secure systems is just the beginning of a clever hacking game.

The Bling Libra group, known as the creator of the ShinyHunters Ransomware, has changed its methods of operation, switching from selling stolen data to extortion. This became known after an incident in which Palo Alto Networks specialists identified the attackers' new tactic.

In the campaign, Bling Libra used legitimate credentials found in public repositories to gain access to a company's cloud resources on the Amazon Web Services (AWS) platform. Although the rights associated with these accounts were restricted, the group managed to infiltrate the environment and conduct reconnaissance. To access the data, the attackers used tools such as S3 Browser and WinSCP.

What makes these tools notable for security researchers is that they generate distinctive events in AWS logs, which makes it possible to distinguish actions performed by attackers from routine automated operations. This finding helps security professionals track activity in cloud environments more accurately.

Bling Libra first appeared in 2020 and has since carried out a number of major attacks, including the Microsoft GitHub and Tokopedia data breaches. The group has traditionally used legitimate credentials to gain access to databases of personal information, which it then sold on underground markets. In 2024, however, they changed tactics and began blackmailing their victims, demanding a ransom to keep the data safe.

After penetrating the environment, the attackers conduct thorough reconnaissance to determine which resources are available to them, then return after a while to carry out the attack. In the campaign reviewed by Palo Alto Networks, the hackers deleted some of the data and created new S3 buckets, likely to taunt the organization. After completing the attack, Bling Libra sent a ransom letter to the victim.
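The detection point the article makes (interactive clients such as S3 Browser and WinSCP leave distinctive events in AWS logs, unlike SDK-driven automation) and the attack steps it describes (reconnaissance, object deletion, creation of new buckets) can be turned into a simple CloudTrail triage. The following Python is an added example, not code from the forum post or from the Palo Alto Networks report. It assumes that such clients identify themselves by product name in CloudTrail's `userAgent` field (the marker strings and SDK prefixes are assumptions), and all log records, principal names and bucket names are constructed for the example.

```python
"""Triage S3 CloudTrail records: separate interactive-client activity from SDK
automation and surface destructive and bucket-creation events per principal."""
import json
from collections import defaultdict

# Assumed substrings that interactive S3 clients put in the userAgent field.
INTERACTIVE_CLIENT_MARKERS = ("S3 Browser", "WinSCP")
# Assumed prefixes of user agents produced by SDKs and the CLI (routine automation).
AUTOMATION_PREFIXES = ("aws-sdk-", "aws-cli/", "Boto3/", "aws-internal/")

RECON_EVENTS = {"ListBuckets", "ListObjects", "GetBucketLocation", "GetBucketAcl"}
DESTRUCTIVE_EVENTS = {"DeleteObject", "DeleteObjects", "DeleteBucket"}
STAGING_EVENTS = {"CreateBucket"}
HIGH_IMPACT = DESTRUCTIVE_EVENTS | STAGING_EVENTS

def _rec(time, name, user, agent, ip, bucket=None):
    """Build one constructed CloudTrail-style record (helper for the sample log)."""
    return {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
            "userIdentity": {"type": "IAMUser", "userName": user},
            "userAgent": agent, "sourceIPAddress": ip,
            "requestParameters": {"bucketName": bucket} if bucket else None}

# Constructed sample log: "ci-deploy" is legitimate automation, "svc-backup" is a
# leaked key driven from interactive clients (values are invented for the example).
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    _rec("2024-08-01T10:00:01Z", "ListBuckets", "svc-backup", "S3 Browser/0.0 (constructed)", "198.51.100.7"),
    _rec("2024-08-01T10:00:09Z", "ListObjects", "svc-backup", "S3 Browser/0.0 (constructed)", "198.51.100.7", "customer-exports"),
    _rec("2024-08-01T10:02:00Z", "PutObject", "ci-deploy", "aws-sdk-go/0.0 (constructed)", "10.0.3.12", "app-artifacts"),
    _rec("2024-08-03T22:14:30Z", "DeleteObject", "svc-backup", "WinSCP/0.0 (constructed)", "198.51.100.7", "customer-exports"),
    _rec("2024-08-03T22:15:02Z", "CreateBucket", "svc-backup", "S3 Browser/0.0 (constructed)", "198.51.100.7", "new-bucket-constructed"),
    _rec("2024-08-03T23:00:00Z", "ListBuckets", "ci-deploy", "aws-cli/0.0 (constructed)", "10.0.3.12"),
]})

def classify_agent(user_agent):
    """Return 'interactive', 'automation' or 'unknown' for a userAgent string."""
    if any(marker in user_agent for marker in INTERACTIVE_CLIENT_MARKERS):
        return "interactive"
    if user_agent.startswith(AUTOMATION_PREFIXES):
        return "automation"
    return "unknown"

def triage(cloudtrail_json):
    """Parse a CloudTrail export and return (findings, per-principal summary).

    A finding is raised for every S3 call made from an interactive client, with
    'high' severity when the call deletes data or creates a bucket, and for
    high-impact calls from an unrecognised user agent."""
    records = json.loads(cloudtrail_json)["Records"]
    findings = []
    summary = defaultdict(lambda: {"recon": 0, "destructive": 0, "staging": 0,
                                   "agents": set(), "sources": set()})
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        identity = rec.get("userIdentity", {})
        who = identity.get("userName") or identity.get("arn", "unknown-principal")
        name = rec["eventName"]
        kind = classify_agent(rec.get("userAgent", ""))
        entry = summary[who]
        entry["agents"].add(kind)
        entry["sources"].add(rec.get("sourceIPAddress", "-"))
        entry["recon"] += name in RECON_EVENTS
        entry["destructive"] += name in DESTRUCTIVE_EVENTS
        entry["staging"] += name in STAGING_EVENTS
        bucket = (rec.get("requestParameters") or {}).get("bucketName", "-")
        finding = {"principal": who, "event": name, "bucket": bucket,
                   "agent": rec.get("userAgent", ""), "time": rec["eventTime"]}
        if kind == "interactive":
            finding["severity"] = "high" if name in HIGH_IMPACT else "medium"
            findings.append(finding)
        elif kind == "unknown" and name in HIGH_IMPACT:
            finding["severity"] = "medium"
            findings.append(finding)
    # Freeze the sets so the summary is plain data (sortable, JSON-serialisable).
    frozen = {who: {**e, "agents": sorted(e["agents"]), "sources": sorted(e["sources"])}
              for who, e in summary.items()}
    return findings, frozen

if __name__ == "__main__":
    found, per_principal = triage(SAMPLE_CLOUDTRAIL)
    for f in found:
        print(f"[{f['severity']:6}] {f['time']} {f['principal']} {f['event']} {f['bucket']} via {f['agent']}")
    print(json.dumps(per_principal, indent=2))
```

The per-principal summary is what a responder would read first: a principal whose calls come only from interactive clients, whose source address is outside the organisation's ranges, and whose history shows reconnaissance followed days later by deletions and bucket creation matches the sequence the article describes, and its access key is the one to rotate. Automation principals that only ever present SDK or CLI user agents stay out of the findings entirely, which is the distinction the logs make possible.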

This case is another reminder of the importance of regularly reviewing security settings and restricting access rights in cloud systems. Palo Alto Networks recommends using reliable analysis and monitoring tools to minimize risk and prevent such attacks.
